Safety in Access Control Take-Grant (best viewed in slide-show mode) Ravi Sandhu Laboratory for Information Security Technology George Mason University www.list.gmu.edu sandhu@gmu.edu

The Take-Grant Model (late 70’s, early 80’s) B t A/t (a) A/t Є dom(B) A B g B/g Original graph representation, late 70’s (b) B/g Є dom(A)

The Take-Grant Model (late 70’s, early 80’s) B t A/t (a) A/t Є dom(B) A B g B/g Lockman-Minsky representation, 1982 (b) B/g Є dom(A)

Creation in Take-Grant A’/tg A’/tg A A t g t g A’ A’ (a) The Original View (b) The Lockman-Minsky View

Reversal of Take-Grant Flow: case t B t A’/tg A/t A’/tg A/t t t g g A’

Reversal of Take-Grant Flow: case g B g B/g B/g A’/tg A’/tg t t g g A’

Reversal of Grant-Only Flow B g B/g A’/g B/g A/g A’/g g g g g A/g B/g A/g A’

Non-Reversal of Take-Only Flow B t A’/t A/t A’/t A/t t t t A/t A’

Shortening of Take-Only Flows B C t t A/t B/t A/t B/t

Summary Take-Grant, Grant only Disconnected islands of completely connected subjects with total sharing of rights within each island and no sharing across islands Take-only Original topology of flows is preserved, but existing paths can be shortened to a direct edge Send-receive Requires send and receive rights Similar to take-only in preserving original topology of flows, but existing paths cannot always be shortened to a single edge

Exercise Express take-grant, grant-only, take-only and send-receive in the HRU model Are these constructions Mono-conditional Bi-conditional Mono-operational